California Broadband Internet Privacy Bill a Model for the States

The repeal of the Federal Communications Commission’s (FCC) broadband privacy rules was a sad day for Americans, but there was a silver lining. The resulting public outcry was the loudest that I’ve ever heard in many years of trying to promote privacy rights, clear and tangible evidence that people really do care about their data and want to have control over what companies do with it.

Now the states have stepped up to the plate, with privacy bills popping up from Hawaii to Maryland. On June 19, California Assemblymember Ed Chau introduced AB 375, a bill to give people in that state the broadband privacy rights that they lost in Congress. This legislation has all of the key elements that are needed to protect broadband users’ privacy:

  • It has a comprehensive definition of “customer personal information” that includes not only the standard identifiers (name, address, etc.) and demographic information but also people’s locations when they access their broadband service, their web browsing history and app use, and their device identification;
  • It distinguishes between “aggregate customer information,” which can’t be tracked back to specific individuals, and “de-identified” information, which in some cases can be;
  • It allows internet service providers to use, disclose, sell, or permit access to customers’ personal information only if they’ve clearly explained what types of information would be involved, how it would be used, and what types of entities would get it, and those customers have taken a step to say “yes” (opt-in). There are reasonable exceptions for internet service providers to use the data to market their communications services to customers and for certain operational and safety purposes;
  • It gives customers the right to say “no” (opt-out) to prevent their internet service providers from using their personal data to market their services to them;
  • It forbids internet service providers to refuse to serve customers or charge them a penalty for not agreeing to use or share their data, or to offer a discount in exchange for their consent (which penalizes people who want to protect their privacy but can’t afford to pay more to do so);
  • It requires internet service providers to keep customers’ information safe and secure and forbids them from keeping it longer than is reasonably necessary.

With a population and economy that are larger than those of many countries, California wields great influence. So we can expect that this bill will be fiercely attacked by internet service providers, online advertisers, and even by companies that wouldn’t be covered but don’t like the precedent that it could set. Let’s deal with some of the arguments that are likely to be made against it:

This will lead to a patchwork of state laws; we need to deal with broadband privacy on a national basis.

Well, the FCC rules were national. Opponents of the rules urged Congress to kill them by using the Congressional Review Act, a blunt instrument that also prevents the FCC from ever proposing substantially similar rules again. They only have themselves to blame for the fact that states are now taking action to protect their constituents’ privacy.

You didn’t really lose anything because the FCC rules had not taken effect yet.

Wrong, we lost the progress that we were making on online privacy. The FCC’s existing privacy rules were originally meant to protect our telephone records. When the FCC decided in 2015 that broadband should be treated as a communications service, the rules needed to be updated to spell out exactly how internet service providers should protect their customers’ privacy. This was the first time that there were federal rules for online privacy (except for rules concerning children’s online privacy). Their repeal sent us backwards. It’s a big loss.

We don’t need this legislation because internet service providers don’t sell customers’ data.

In the debate about broadband privacy, many people, including me, have used the word “sell” as a shorthand for how internet service providers make money from customers’ data. What they’re actually doing is more complicated, but in essence it’s selling us. They’re profiling us – their customers – based on the websites we visit, what we do there, where we are when we access their services, and other information about us, and using those profiles to advertise to us on behalf of other companies. They profit from doing so. This analysis is invisible to us and as marketing becomes ever-more personalized it raises concerns about our being treated unfairly. But even more fundamentally, we need legislation to help enforce our right to decide if and when information from our use of communications services can be used or shared for purposes other than providing us with the service that we’re paying for.

It’s not fair that companies like Facebook and Google, which also profit from collecting and using people’s personal information, aren’t covered by this legislation.

Because internet service providers collect personal information when we sign up and pay for their services and they can also see everywhere we go online, what we do, and where we are, they can create much more expansive profiles of us than Google or Facebook. Sure, there are concerns about the personal information that search engines, social media sites, and other types of companies can collect and how it can be used, and we need to figure out how to address them. But in the special category of communications services we can and should move forward immediately to protect broadband users’ privacy, using the repealed FCC rules as a model. That’s what the California bill does.

This legislation will stifle innovation.

Huh? Surely we don’t have to sacrifice the privacy of our communications in order for great new products and services to be developed. American innovation won’t stop – it will be even more successful when it’s built on the solid foundation of respect for our rights.

States have long recognized the importance of protecting privacy. There’s no federal law that requires commercial websites to post their privacy policies, but California and Delaware require it. There are state laws protecting the privacy of e-book users, and on biometrics, monitoring of employees’ email, data security, and much more. The California Broadband Internet Privacy Act is another example of states leading the way. Consumer Federation of America strongly endorses it.